0

I'm developing an application in Flutter and I'm facing a problem. I would like to use Google Maps in my application and for that I need an API key. For security reasons, I chose to use dot env to "mask" this key so that it is not exposed in my code. But here comes the problem, the key value must be used in the AndroidManifest.xml file, and according to the flutter_dotenv documentation, to use the key value I must import the dependency

import 'package:flutter_dotenv/flutter_dotenv.dart';

and use the method

dotenv.env['VAR_NAME'];

But this is not possible in the AndroidManifest file, since it is not a Flutter code file. I searched for other alternatives, such as a Python script and others, but all of them somehow injected the API key into the file and it was exposed. Can any professional in the area, or someone who has a solution, help me?

3 Answers

0

It seems the Google Maps SDK is designed to be used from the client (on the device), but security comes from restrictions you apply from the Google Cloud Console:

You can say: "Only allow this key to be used if the call comes from an app with package name X and SHA-1 Y."

This way, even if someone sees your key, they won't be able to use it in their own app.


0

Environment variables using flutter_dotenv can't be gotten on the native side.

A solution is to pass the env file at compile time using --dart-define-from-file. To read the environment variable natively, you can use https://pub.dev/packages/flutter_env_native.


0

If you're using Google Maps in your Flutter app and want to avoid exposing your API key (especially in version control), here's a secure and professional way to handle it using local.properties and Gradle.

Add the API key to local.properties

In the root of your project (same level as android/), open or create the local.properties file and add:

maps.apikey=YOUR_API_KEY_HERE

Do not commit local.properties to version control. It should remain local.

Open android/app/build.gradle, and at the top (before android {}), load local.properties like this:

def localProperties = new Properties()
def localPropertiesFile = rootProject.file('local.properties')
if (localPropertiesFile.exists()) {
    localPropertiesFile.withReader('UTF-8') { reader ->
        localProperties.load(reader)
    }
}

Then, in the defaultConfig block inside android {}, pass the key to the manifest using manifestPlaceholders:

defaultConfig {
    ...
    manifestPlaceholders += [mapsApiKey: localProperties['maps.apikey']]
}

Use the key in AndroidManifest.xml

Open android/app/src/main/AndroidManifest.xml and use the placeholder like this:

<meta-data
    android:name="com.google.android.geo.API_KEY"
    android:value="${mapsApiKey}" />
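
A repository check for the setup described in the answers above, as an added example that is not part of any answer: it flags a manifest whose com.google.android.geo.API_KEY value is anything other than a `${...}` placeholder, and flags local.properties if it is under version control. The function names, the sample manifest and the `AIza` + 35 character key shape are assumptions made for this example; the check only covers what is committed, since the built app still contains the key and the Cloud Console restrictions from the first answer remain the actual control.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
MAPS_META = "com.google.android.geo.API_KEY"
# A manifest placeholder such as ${mapsApiKey}, filled in by Gradle at build time.
PLACEHOLDER = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")
# Assumed usual shape of a Google API key; used only to word the finding.
KEY_SHAPE = re.compile(r"AIza[0-9A-Za-z_\-]{35}")
# Constructed, obviously fake key for the sample input below.
FAKE_KEY = "AIza" + "0" * 35


def check_manifest(manifest_xml):
    """Return findings for Maps key meta-data that is not a ${placeholder}."""
    findings = []
    root = ET.fromstring(manifest_xml)
    for meta in root.iter("meta-data"):
        if meta.get(ANDROID_NS + "name") != MAPS_META:
            continue
        value = meta.get(ANDROID_NS + "value", "")
        if PLACEHOLDER.match(value):
            continue
        kind = "literal API key" if KEY_SHAPE.search(value) else "non-placeholder value"
        findings.append(f"AndroidManifest.xml: {kind} in {MAPS_META}")
    return findings


def check_tracked(tracked_paths):
    """Flag local.properties if it appears among version-controlled paths."""
    return [f"{p}: local.properties is tracked" for p in tracked_paths
            if p.replace("\\", "/").split("/")[-1] == "local.properties"]


def sample_manifest(value):
    """Build a constructed, minimal manifest carrying the given key value."""
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
            '<application><meta-data android:name="%s" android:value="%s" />'
            '</application></manifest>' % (MAPS_META, value))


if __name__ == "__main__":
    problems = check_manifest(sample_manifest(FAKE_KEY))
    problems += check_tracked(["android/local.properties", "lib/main.dart"])
    for line in problems:
        print(line)
```

In a real project, pass the contents of android/app/src/main/AndroidManifest.xml to `check_manifest` and the output lines of `git ls-files` to `check_tracked`.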
